Redistribute User-ID Information From Prisma Access to an On-Premise Firewall
This page shows the steps you take to redistribute User-ID information from Prisma Access to an on-premises firewall.
When mobile users need to reach a resource at a remote network location or at the HQ/data center, and that resource is secured by an on-premises next-generation firewall with user-based policies, you must redistribute the IP address-to-username mappings for Prisma Access mobile users and remote network users to the on-premises firewall. When a user connects to Prisma Access, Prisma Access collects and stores the user-to-IP address mapping; without redistribution, the on-premises firewall sees only the source IP address and cannot match user-based policy rules.
The following figure shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access redistributes this mapping by way of either a service connection (SC-CAN) or a remote network connection (RN-SPN) to the on-premises firewall that secures the HQ/data center.
The service connection or remote network connection is an IPSec tunnel that serves as the underlay path to the Layer 3 network. Any route over that trusted IPSec tunnel to a privately addressed destination can carry the redistribution traffic.
To redistribute User-ID mappings from Prisma Access to an on-premises firewall, complete the following steps.
Do not apply SSL decryption to any connection that redistributes user identity to the on-premises firewall (the SC-CAN or RN-SPN), including on any firewalls that sit in the redistribution path; the redistribution session is itself TLS-protected and decrypting it breaks the agent connection. Alternatively, add a decryption exclusion that matches the redistribution traffic.
  1. Make a note of the IP address to use when you configure the data redistribution agent.
    • For remote network connections, find the EBGP Router address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router).
    • For service connections, find the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address).
  2. Configure Prisma Access as a User-ID agent that redistributes user mapping information.
    1. In the Panorama that manages Prisma Access, select Device > Data Redistribution > Collector Settings.
       To configure the collector on a service connection, select the Service_Conn_Template; to configure the collector on a remote network connection, select the Remote_Network_Template.
    2. Click the gear icon to edit the settings.
    3. Provide a Collector Name and a Collector Pre-Shared Key to identify Prisma Access as a User-ID agent. The on-premises firewall must present exactly these two values in Step 3, so record them.
    4. Click OK to save your changes.
  3. Configure the on-premises firewall to collect the User-ID mappings from Prisma Access.
    1. On the on-premises firewall, select Device > Data Redistribution > Agents.
    2. Add a User-ID agent and give it a Name.
    3. Select Host and Port. Leave the port at its default (5007, the User-ID agent port) unless you changed it on the collector, and make sure that port is allowed through the IPSec tunnel and any firewalls in the path.
    4. In the Host field, enter the User-ID Agent Address (for a service connection) or the EBGP Router address (for a remote network connection) that you noted in Step 1.
    5. Enter the Collector Name and Collector Pre-Shared Key of the Prisma Access collector you created in Step 2.
    6. Select IP User Mappings.
    7. Click OK.
    8. Repeat these steps for each service connection or remote network connection for which you want to redistribute mappings.
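The procedure above is entirely GUI-driven, so the two things a practitioner usually wants afterwards are a sanity check on the values typed into Steps 1 through 3 and a way to confirm that mappings from Prisma Access actually arrived on the on-premises firewall. The following script is an added example, not Palo Alto Networks code. It assumes the default User-ID agent port (TCP 5007), that mappings learned through a data redistribution agent show UIA in the From column of `show user ip-user-mapping all`, and it parses a constructed sample of that CLI output; the minimum pre-shared key length is this example's own policy.

```python
"""Pre-flight and verification helpers for Prisma Access User-ID redistribution.

Added example; not Palo Alto Networks code. Assumptions (not stated on the page):
- the on-premises firewall connects to the Prisma Access collector on TCP 5007,
  the PAN-OS User-ID agent default port;
- mappings learned through a data redistribution agent appear with "UIA" in the
  From column of `show user ip-user-mapping all`;
- the sample CLI output below is constructed for this example.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import List

USER_ID_AGENT_PORT = 5007  # PAN-OS default; assumed for the Prisma Access collector
MIN_PSK_LENGTH = 16        # this example's own policy, not a Palo Alto requirement


def preflight(host: str, collector_name: str, pre_shared_key: str) -> List[str]:
    """Return findings for the Step 1 and Step 2 values; an empty list means OK.

    host is the User-ID Agent Address (service connection) or the EBGP Router
    address (remote network) noted in Step 1.
    """
    findings = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        findings.append(f"host {host!r} is not a valid IP address")
    else:
        # The firewall reaches the collector over the IPSec tunnel, so the
        # address should be one routed inside the tunnel, normally RFC 1918.
        if not addr.is_private:
            findings.append(f"host {host} is not a private address; check the tunnel route")
    if not collector_name.strip():
        findings.append("collector name is empty; it must match Step 2 exactly")
    if len(pre_shared_key) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key is shorter than {MIN_PSK_LENGTH} characters")
    return findings


def tcp_reachable(host: str, port: int = USER_ID_AGENT_PORT, timeout: float = 2.0) -> bool:
    """Check that the collector port answers; run from a host behind the on-premises firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str  # the From column: UIA, AD, GP, XMLAPI, ...
    user: str


def parse_ip_user_mapping(cli_output: str) -> List[Mapping]:
    """Parse the table printed by `show user ip-user-mapping all` on the firewall."""
    mappings = []
    for line in cli_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # header, separator or "Total:" line
        mappings.append(Mapping(ip=parts[0], vsys=parts[1], source=parts[2], user=parts[3]))
    return mappings


def redistributed_mappings(mappings: List[Mapping]) -> List[Mapping]:
    """Keep only mappings that arrived through a User-ID agent (the Prisma Access collector)."""
    return [m for m in mappings if m.source == "UIA"]


# Constructed sample: two Prisma Access mobile users (UIA) and one locally learned AD mapping.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.20.30.5      vsys1  UIA     corp\\alice                      2600           2600
10.20.30.6      vsys1  UIA     corp\\bob                        2598           2598
192.168.10.40   vsys1  AD      corp\\carol                      2421           2421
Total: 3 users
"""

if __name__ == "__main__":
    for finding in preflight("172.16.55.2", "prisma-collector", "replace-with-a-long-random-key"):
        print("preflight:", finding)
    for m in redistributed_mappings(parse_ip_user_mapping(SAMPLE_OUTPUT)):
        print(f"{m.ip} -> {m.user} (via {m.source})")
```

Run `preflight` with the address from Step 1 and the collector name and key from Step 2 before committing; `tcp_reachable` then confirms the collector port answers across the tunnel (a timeout here usually means the port is not permitted on the path or the route does not go through the SC-CAN/RN-SPN). After the firewall has connected, paste the output of `show user ip-user-mapping all` into `parse_ip_user_mapping`; if `redistributed_mappings` returns nothing while mobile users are connected, check the decryption exclusion and the collector credentials first.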
